Cups-browsed cannot bind to port 631 as non-root user on Ubuntu 23.04

Bug #2028172 reported by Morgan Norman
This bug affects 2 people
Affects: cups-browsed (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Till Kamppeter
Milestone: (none)

Bug Description

After upgrading to Ubuntu 23.04, my laptop failed to discover our print server.
The problem seems to have been caused by a new change in cups-browsed that was added to Ubuntu 23.04.
I looked into it and found a small fix that seems to solve my issue.

Using the debug configuration for cupsd and cups-browsed, I looked through the logs and noticed the following line:
failed to bind CUPS Browsing socket: Permission denied

After reading more about printer advertisement and cups-browsed, I concluded that the printer is shared to my Ubuntu 23.04 laptop via CUPS on port 631.
When I connected an Ubuntu 22.04 laptop to the Wi-Fi network, I saw the printer really was being shared with CUPS on port 631.
Cups-browsed was running as root on 22.04 while on 23.04 it is running as a new user - cups-browsed, but this new user didn't seem to have the necessary permissions to open a listening socket on port 631.
The solution I tried was granting the relevant binding permissions to the binary with this command (on the 23.04):
setcap cap_net_bind_service+ep /usr/sbin/cups-browsed

After giving the permissions, my computer successfully discovered the printer, just like it used to on 22.04!
I think the command should be added to the post install script or maybe the capability should be granted to the new cups-browsed user.
I posted it as an issue in the CUPS project on GitHub. They told me to post it here because it's an Ubuntu issue: https://github.com/OpenPrinting/cups-browsed/issues/17

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Add CAP_NET_BIND_SERVICE capability to cups-browsed binary" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Jerome Kieran (kjerome) wrote :

I ran into this bug a couple of days ago.

I've attached a patch that adds the CAP_NET_BIND_SERVICE capability to the postinst script of the package.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cups-browsed (Ubuntu):
status: New → Confirmed
Ken VanDine (ken-vandine) wrote :

@till-kamppeter can you please take a look at the proposed patch?

Changed in cups-browsed (Ubuntu):
assignee: nobody → Till Kamppeter (till-kamppeter)
Seth Arnold (seth-arnold) wrote :

Till, please consider modifying the cups-browsed.service file instead.

Setting capabilities on a program is a lot like setting the program setuid or setgid. This capability is much less powerful than full setuid, and this capability is much less powerful than others, but still it isn't necessary for every user on the system to be able to gain this capability by executing this program.

Adding the capability via systemd's AmbientCapabilities=CAP_NET_BIND_SERVICE means the capability is only applied to the process if it is started via systemd. This means the process will only execute with elevated privileges when it is also executed from the known-good environment of pid 1.

Of course, there's some tradeoffs here -- the systemd approach will also set the securebits keep-caps option. This might leak through to helper applications that are executed by cups-browsed, if any. (Why are there always tradeoffs?)

Anyway, I think the better approach is for the capability to be set only when cups-browsed is launched via the systemd service manager, rather than for every execution of the program.

Thanks
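The thread contrasts two ways of handing CAP_NET_BIND_SERVICE to cups-browsed: a file capability on the binary (the reporter's `setcap` command) and `AmbientCapabilities=` in the systemd unit (Seth's suggestion). The script below is an added example, not code from the bug report or from the cups-browsed project. It decodes the capability masks the kernel publishes in /proc/<pid>/status so an administrator can tell which route a running process received the capability through, and it writes the systemd drop-in that scopes the grant to the unit. The sample status texts are constructed for the demo, and the drop-in is written under a directory passed as an argument rather than /etc/systemd/system so the example runs unprivileged.

```shell
#!/bin/sh
# Added example (not part of the bug report or the cups-browsed package).
# Capability masks in /proc/<pid>/status are 64-bit hex strings; bit 10 is
# CAP_NET_BIND_SERVICE (see <linux/capability.h>).
CAP_NET_BIND_SERVICE=10

# mask_has_cap HEXMASK CAPNUM: succeed when bit CAPNUM of the mask is set.
mask_has_cap() {
  _mask=$1; _n=$2
  [ $(( (0x$_mask >> _n) & 1 )) -eq 1 ]
}

# status_field FILE NAME: print the value of the "NAME:" line of a status file.
status_field() {
  awk -v name="$2:" '$1 == name { print $2 }' "$1"
}

# describe_grant FILE: classify how CAP_NET_BIND_SERVICE reached the process.
#   ambient        - present in CapAmb, the signature of systemd AmbientCapabilities=
#   effective-only - present in CapEff but not CapAmb, as with a setcap file capability
#   none           - the process does not hold the capability
describe_grant() {
  _amb=$(status_field "$1" CapAmb)
  _eff=$(status_field "$1" CapEff)
  if mask_has_cap "$_amb" "$CAP_NET_BIND_SERVICE"; then
    echo ambient
  elif mask_has_cap "$_eff" "$CAP_NET_BIND_SERVICE"; then
    echo effective-only
  else
    echo none
  fi
}

# write_dropin DIR: write the unit drop-in that grants the capability only when
# cups-browsed is started by systemd. DIR stands in for /etc/systemd/system.
write_dropin() {
  mkdir -p "$1/cups-browsed.service.d"
  cat >"$1/cups-browsed.service.d/override.conf" <<'EOF'
[Service]
User=cups-browsed
AmbientCapabilities=CAP_NET_BIND_SERVICE
EOF
  echo "$1/cups-browsed.service.d/override.conf"
}

# Constructed /proc/<pid>/status excerpts for the three situations.
STATUS_SETCAP=$(mktemp)    # binary carries cap_net_bind_service+ep
cat >"$STATUS_SETCAP" <<'EOF'
Name:   cups-browsed
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
EOF

STATUS_SYSTEMD=$(mktemp)   # started by systemd with AmbientCapabilities=
cat >"$STATUS_SYSTEMD" <<'EOF'
Name:   cups-browsed
CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
CapAmb: 0000000000000400
EOF

STATUS_PLAIN=$(mktemp)     # unprivileged user, no capability: bind to 631 fails
cat >"$STATUS_PLAIN" <<'EOF'
Name:   cups-browsed
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
EOF

# Stand-alone run: classify each sample and write the drop-in to a scratch dir.
for f in "$STATUS_SETCAP" "$STATUS_SYSTEMD" "$STATUS_PLAIN"; do
  printf '%s: %s\n' "$f" "$(describe_grant "$f")"
done
write_dropin "$(mktemp -d)"
```

On a live system the same classification works with `describe_grant /proc/$(pidof cups-browsed)/status`; the file-capability route can additionally be confirmed with `getcap /usr/sbin/cups-browsed` from libcap. The distinction matters for the reason Seth gives: a file capability is available to any user who executes the binary, while an ambient grant exists only in processes spawned from the unit.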

Jerome Kieran (kjerome) wrote :

Seth, should I create a new patch that fixes the bug using AmbientCapabilities?
Would that help or should we wait for Till's opinion?

Till Kamppeter (till-kamppeter) wrote :

Seth, this is an even better way, especially also as the systemd files are part of the upstream repository and by setting the capabilities there we do the change for all distributions, not just for Debian, Ubuntu, and distros derived from those.

So let us go this way.

Jerome Kieran (kjerome) wrote :

Till, from what I understand, this bug only affects Ubuntu (Lunar and Mantic) and isn't an upstream bug, as the service runs as root on Debian (as far as I can tell).

I modified the patch (0002-run-cups-browsed-as-user.patch) to add the capability on Ubuntu.

Till Kamppeter (till-kamppeter) wrote :

Thanks a lot for the patch.

The run-as-user I have indeed introduced only in Ubuntu, but I plan to apply the patch to the upstream repo so that it gets the standard configuration, at least for classic packaging (DEB, RPM, ...). In Snap packaging the cups-browsed.service file is not used and system daemons always run as root (which is not as critical here due to the encapsulation).

As we still have reports that cups-browsed in Ubuntu sometimes gets stuck at 100% CPU, we must check whether it is caused by running as user (via debug logs).

Jerome Kieran (kjerome) wrote :

Shouldn't it be fixed for Ubuntu (Lunar, Mantic and upcoming releases) and once it's pushed upstream rebase from it?

Simon Quigley (tsimonq2) wrote :

Unsubscribing sponsors since this looks like it will be fixed upstream, and the attached patch is not a debdiff. That being said, I think it should stay on the ubuntu-reviewers queue until Till fully incorporates the final version of the patch.

Thank you all for your work! Feel free to resubscribe ubuntu-sponsors if any of this changes.

Jerome Kieran (kjerome) wrote :

Till, I was just wondering whether you've had the chance to consider merging the current patch? Are you working on integrating the change upstream ATM?

Thanks :)

Sudip Mukherjee (sudipmuk) wrote (last edit):

Upstream issue at https://github.com/OpenPrinting/cups-browsed/issues/17 and upstream has said in the issue that they are not planning to add this. So, this needs to be fixed here.

tags: added: udeng-2092
Till Kamppeter (till-kamppeter) wrote :

Sorry for applying the patch so late. I was waiting for more input on the 100%-CPU issue (bug 2049315) and whether it has to do with cups-browsed running as normal user. But as that issue occurs only very rarely, I did not succeed in getting useful logs.

Now I have applied the fixed patch to the current cups-browsed package of noble. Please check whether this package is working for you.

Changed in cups-browsed (Ubuntu):
status: Confirmed → Fix Committed
Jerome Kieran (kjerome) wrote (last edit):

Works on my machine (built from applied/ubuntu/devel), will test again once the package reaches the daily builds. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups-browsed - 2.0.0-0ubuntu3

---------------
cups-browsed (2.0.0-0ubuntu3) noble; urgency=medium

  * Added dependencies on pkgconf and cups >= 2.4.6-0ubuntu3 to
    to the cups-browsed-tests binary package, to make the autopkgtest
    work (LP: #2028172).

 -- Till Kamppeter <email address hidden> Tue, 16 jan 2024 12:16:33 -0300

Changed in cups-browsed (Ubuntu):
status: Fix Committed → Fix Released